The U.S. Senate Infrastructure Bill: Securing Our Electrical Grid Through P3s and Grants
As we begin to better understand the main components of the Infrastructure Investment and Jobs Act that the U.S. Senate is working to pass this week, it is clear that public-private partnerships ("P3s") are a favored funding mechanism of lawmakers to help offset high costs associated with major infrastructure projects in communities. And while past infrastructure bills have used P3s for more conventional projects, the current bill also calls for P3s to help pay for protecting the U.S. electric grid from cyberattacks. Responding to the increasing number of cyberattacks on our nation’s infrastructure, and given the fragile physical condition of our electrical grid, the Senate included provisions to help state, local and tribal entities harden electrical grids for which they are responsible.
Section 40121, Enhancing Grid Security Through Public-Private Partnerships, calls for not only physical protections of electrical grids, but also for enhancing cyber-resilience. This section seeks to encourage the various federal, state and local regulatory authorities, as well as industry participants to engage in a program that audits and assesses the physical security and cybersecurity of utilities, conducts threat assessments to identify and mitigate vulnerabilities, and provides cybersecurity training to utilities. Further, the section calls for strengthening supply chain security, protecting “defense critical” electrical infrastructure and buttressing against a constant barrage of cyberattacks on the grid. In determining the nature of the partnership arrangement, the size of the utility and the area served will be considered, with priority going to utilities with fewer available resources.
Section 40122 compliments the previous section as it seeks to incentivize testing of cybersecurity products meant to be used in the energy sector, including SCADA systems, and to find ways to mitigate any vulnerabilities identified by the testing. Intended as a voluntary program, utilities would be offered technical assistance and databases of vulnerabilities and best practices would be created. Section 40123 incentivizes investment in advanced cybersecurity technology to strengthen the security and resiliency of grid systems through rate adjustments that would be studied and approved by the Secretary of Energy and other relevant Commissions, Councils and Associations.
Lastly, Section 40124, a long sought-after package of cybersecurity grants for state, local and tribal entities is included in the bill. This section adds language that would enable state, local and tribal bodies to apply for funds to upgrade aging computer equipment and software, particularly related to utilities, as they face growing threats of ransomware, denial of service and other cyberattacks. However, under Section 40126, cybersecurity grants may be tied to meeting various security standards established by the Secretary of Homeland Security, and/or submission of a cybersecurity plan by a grant applicant that shows “maturity” in understanding the cyber threat they face and a sophisticated approach to utilizing the grant.
While the final outcome of the Infrastructure Investment and Jobs Act may still be weeks or months away, inclusion of these provisions not only demonstrates a positive step forward for the application of federal P3s and grants generally, they also show that Congress recognizes the seriousness of the cyber threats our electrical grids face. Hopefully, through judicious application of both public-private partnerships and grants, the nation can quickly secure its infrastructure from cyberattacks.